OAuth2 Access token endpoint returning "JWS signature invalid"

Jump to solution
ojhaashish
Community Member

---Problem---

Oauth endpoint post token service throwing 400 response with below mentioned error. I have used correct endpoint with parameters and used post method to call the URL https://<mydomain>/login/oauth2/token. My JWT data is valid as perjwt.io debugger when used public key to validate signature.

 

 

 

{"error":"invalid_request","error_description":"JWS signature invalid."}

 

 

 

--- Details ---

I am working on LTI 1.3 integration + Assignment grade services.
1. I have successfully installed the canvas instance by following this link https://github.com/instructure/canvas-lms/wiki/Production-Start 
2. My LTI 1.3 application launched working fine.
3. But while using the Assignment Grade Services to post score, I am not getting access token instead I am getting the "JWS signature invalid" with 400 header status.
4. I have followed this link to make a post request to get the access token. token https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#post-login-oauth2-token 

Here is the information contained in the body of the post request:

 

 

{
  "grant_type": "client_credentials",
  "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "client_assertion": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjNPaVdic1RwQzRlZEZvSkdqbGlGemdGUVFmZ0JIblBrTGJ1RWpYS2tiaG1VbllqRHNjYWdsaEllRU1RZUpWQnYifQ.eyJpc3MiOiJodHRwczovL3N0YWdpbmcubXlkb21haW4uY29tIiwic3ViIjoiMTAwMDAwMDAwMDAwMDEiLCJhdWQiOiJodHRwczovL2NhbnZhcy5teWRvbWFpbi5jb20vbG9naW4vb2F1dGgyL3Rva2VuIiwiaWF0IjoxNjIwNzk2OTQ4LCJleHAiOjE2MjA3OTcwMTMsImp0aSI6Imx0aS1zZXJ2aWNlLXRva2VuYmRmMzlkNTFmMDYxNmZhMWMzMGJkYTJmYTQ2YWU3NmFmZjI3YjFlMTU2YWZiNmVmYjU2MTBlMDU3ZWUwMWM3ZiJ9.bSELJ3HQSQJQpeh75x_OOfBAZIWrMprYD9bK7S6nA1NUi483Yxgk2MDT6ZYRP9-eI03HoQdr9aP2Wv121qm9SuMO0KLUZgQ01rO3GmfyZhOS9yat0AVJvOxiEyRNSJD9W4M4ZcHBPw8UJ_KnywGCKRKRiBBih2JLoquwmP9NomHNvKlW--9pUM3amGH1z9P940kJIqdcVulSTDw2VUBnsjd1J6ngkG4DKgi1BwDaldhhU0yPzkiAO-UJRJHoqrxkYnYfJ5Q_Y6SnvgsHKAMiRNnhHKcqQetWh_4mTYl0Qmh3h6B6EafjVdxIdcMiIyCJGz3cUn8_XigCu1qPXBvEwA",
  "scope": "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly https://purl.imsglobal.org/spec/lti-ags/scope/score"
}

 

 

Decoded JWT:

 

 

Header:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "3OiWbsTpC4edFoJGjliFzgFQQfgBHnPkLbuEjXKkbhmUnYjDscaglhIeEMQeJVBv"
}

Payload:
{
  "iss": "https://staging.mydomain.com",
  "sub": "10000000000001",
  "aud": "https://canvas.mydomain.com/login/oauth2/token",
  "iat": 1620796948,
  "exp": 1620797013,
  "jti": "lti-service-tokenbdf39d51f0616fa1c30bda2fa46ae76aff27b1e156afb6efb5610e057ee01c7f"
}

 

 

I can verify the JWT data place inside the "client_assertion" field using my public key and as per JWT.io debugger my signature is valid.

 

 

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ljLtgYaAP3ByNWEt5WD
aL8BpOc+BvVljjigdLipFI5Mk1Ey9XdM7ywIL5r5zDMRLokGh3p/TinjufVd48D7
It0gtOQ8gLTQ+5Qsi+wcm2mSKRj/nz20S1bdbsozbg5JrIN2goo/o9DXgoe9+FL0
PenWrDjOYQP8cLc5b0LcYDP6t81NdmJBG63toOXUXhOTip3u7GjnK+Zi+9TSZm2T
v+U27aRY4ihJ0vqx7k2HvEIOPxZuVHLn8LGMUwErSPNvm7t/t0WkYtnPR+/yN/bA
4DRNR0dWPlns3KLyDAVpN+bZYCZDbHFI0zj6Lh+YhNSRA7KrY9C5zoPvd3QP5jq7
JQIDAQAB
-----END PUBLIC KEY-----

 

 


5. Inside the canvas platform,  the LTI 1.3 tool configuration contains mentioned Public JWK data and I have enabled all permissions under LTI Advantage Services.

 

 

{
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "e": "AQAB",
    "n": "6ljLtgYaAP3ByNWEt5WDaL8BpOc-BvVljjigdLipFI5Mk1Ey9XdM7ywIL5r5zDMRLokGh3p_TinjufVd48D7It0gtOQ8gLTQ-5Qsi-wcm2mSKRj_nz20S1bdbsozbg5JrIN2goo_o9DXgoe9-FL0PenWrDjOYQP8cLc5b0LcYDP6t81NdmJBG63toOXUXhOTip3u7GjnK-Zi-9TSZm2Tv-U27aRY4ihJ0vqx7k2HvEIOPxZuVHLn8LGMUwErSPNvm7t_t0WkYtnPR-_yN_bA4DRNR0dWPlns3KLyDAVpN-bZYCZDbHFI0zj6Lh-YhNSRA7KrY9C5zoPvd3QP5jq7JQ",
    "kid": "3OiWbsTpC4edFoJGjliFzgFQQfgBHnPkLbuEjXKkbhmUnYjDscaglhIeEMQeJVBv"
}

 

 

 

I have read this discussion too https://community.canvaslms.com/t5/Developers-Group/JWS-signature-invalid/td-p/400323/page/2 but as per the suggested solution my public key is correct and have used the same kid while configuring the tool inside the platform.

I am totally stuck and no idea how to fix this please help me.

Labels (4)
0 Likes
1 Solution
svickers2
Community Contributor

I can't see anything obviously wrong with your request either.  Check that your tool configuration in Canvas does not have a Public JWKS URL defined as well as a value for the Public JWK.  As I recall, if both are defined the URL takes precedence.

View solution in original post

0 Likes